[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla
--- Comment From boris.m...@de.ibm.com 2023-01-15 11:13 EDT---
Fix is now available in focal, jammy and kinetic, therefore we can close this bug.
Thanks everyone for your work!

==> Changing the status to: CLOSED

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1996071

Title:
  [UBUNTU 20.04] boot: Add s390x secure boot trailer

Status in Ubuntu on IBM z Systems: Fix Released
Status in linux package in Ubuntu: Invalid
Status in linux source package in Focal: Fix Released
Status in linux source package in Jammy: Fix Released
Status in linux source package in Kinetic: Fix Released

Bug description:

SRU Justification:
==

[Impact]

* Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update.

[Fix]

* aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy
* https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal

[Test Plan]

* An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required.
* Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile.
* Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked.
* Check sysfs:
  /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0'
  /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0'
* Navigate to the HMC task 'System information' and check the active firmware release.
* Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade.
* There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh

[Where problems could occur]

* The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel.
* In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level.
* Or secure boot will become broken in general.

[Other Info]

* The above commit was upstream accepted with v6.1-rc3.
* And it got tagged for upstream stable with: "Cc: # 5.2+"
* But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable.
* Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed.
* It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level.

__

Description: boot: Add secure boot trailer
Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update.
Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format.
Solution: Add the trailing data block to the Linux kernel image.
Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled.
Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7
Preventive: yes
Date: 2022-10-27
Author: Peter Oberparleiter
Component: kernel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
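An offline check in the spirit of the test plan's sysfs and trailer bullets, added here as an example; it is not the linked check_sb_trailer.sh and not code from the bug's participants. The expected bytes follow the `.sb.trailer` block quoted elsewhere in this thread; the function names, the assumption that the file is the raw unsigned image ending on a 4096-byte boundary, and the constructed sample image are this example's own.

```shell
#!/bin/sh
# Added example (not the linked check_sb_trailer.sh): inspect an s390x boot
# image for the 32-byte secure boot trailer and report secure IPL state.
# Expected bytes follow the .sb.trailer block quoted in this thread: three
# zero quadwords, then QUAD(0x00207a49504c) stored big-endian as on s390x.
SB_TRAILER_HEX="$(printf '%048d' 0)000000207a49504c"

# Return 0 if the file ends with the trailer on a 4096-byte boundary,
# 1 if the last 32 bytes differ, 2 if unreadable, 3 if the size is unaligned.
# Assumption: raw, unsigned image; anything appended after the trailer
# (for example a signature) has to be stripped before calling this.
has_sb_trailer() {
    [ -r "$1" ] || return 2
    size=$(($(wc -c < "$1")))
    [ "$size" -ge 4096 ] && [ $((size % 4096)) -eq 0 ] || return 3
    tail_hex=$(tail -c 32 "$1" | od -An -v -tx1 | tr -d ' \n')
    [ "$tail_hex" = "$SB_TRAILER_HEX" ]
}

# Print the two sysfs flags from the test plan; $1 overrides the sysfs
# directory so the function can be exercised on a constructed tree.
secure_ipl_state() {
    dir="${1:-/sys/firmware/ipl}"
    hw=$(cat "$dir/has_secure" 2>/dev/null) || hw=unknown
    ipl=$(cat "$dir/secure" 2>/dev/null) || ipl=unknown
    echo "has_secure=$hw secure=$ipl"
}

# Constructed sample input: $2 bytes total (multiple of 4096), filler 'A'
# bytes followed by the trailer, written to $1.
make_sample_image() {
    { head -c $(($2 - 32)) /dev/zero | tr '\0' 'A'
      head -c 24 /dev/zero
      printf '\000\000\000\040zIPL'; } > "$1"
}

# Stand-alone use: ./script IMAGE
if [ $# -gt 0 ]; then
    secure_ipl_state
    if has_sb_trailer "$1"; then echo "$1: trailer present"
    else echo "$1: trailer check failed (rc=$?)"; fi
fi
```

A return code of 3 on a real image usually means something follows the trailer in the file, which is the case this example deliberately does not handle.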
[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla
This bug was not opened against linux-xilinx-zynqmp and the s390-tools package is not relevant for this.

Title:
  [UBUNTU 20.04] boot: Add s390x secure boot trailer

Status in Ubuntu on IBM z Systems: Fix Committed
Status in linux package in Ubuntu: Invalid
Status in linux source package in Focal: Fix Released
Status in linux source package in Jammy: Fix Released
Status in linux source package in Kinetic: Fix Released
[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla
--- Comment From peter.oberparlei...@de.ibm.com 2022-11-11 03:49 EDT---
(In reply to comment #12)
> Created attachment 156118 [details]
> 0001-s390-boot-add-secure-boot-trailer.patch

I verified that this patch correctly adds the required secure boot trailer for v5.4 kernels.

Title:
  [UBUNTU 20.04] boot: Add s390x secure boot trailer

Status in Ubuntu on IBM z Systems: In Progress
Status in linux package in Ubuntu: Invalid
Status in linux source package in Focal: In Progress
Status in linux source package in Jammy: In Progress
Status in linux source package in Kinetic: In Progress
[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla
--- Comment From peter.oberparlei...@de.ibm.com 2022-11-10 10:24 EDT---
(In reply to comment #8)
> In the focal master-next tree file 'vmlinux.lds.S' is at a different
> location: 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/'
> and the context is also slightly different.
>
> Would you please have a look at the attached backport for focal and confirm
> that it's correct?
> Since it has this add. block:
> "
> . = ALIGN(256);
> .bss : {
> _bss = . ;
> *(.bss)
> *(.bss.*)
> *(COMMON)
> . = ALIGN(8); /* For convenience during zeroing */
> _ebss = .;
> }
> "

The sb_trailer block needs to move to before the .bss definition, and replaces the ALIGN(256) line. Otherwise kernel image sizes will be unnecessarily increased by the size of the discarded bss section. It should look something like this:

_compressed_start = .; *(.vmlinux.bin.compressed) _compressed_end = .; - FILL(0xff); - . = ALIGN(4096); } - . = ALIGN(256); + +#define SB_TRAILER_SIZE 32 + /* Trailer needed for Secure Boot */ + . += SB_TRAILER_SIZE; /* make sure .sb.trailer does not overwrite the previous section */ + . = ALIGN(4096) - SB_TRAILER_SIZE; + .sb.trailer : { + QUAD(0) + QUAD(0) + QUAD(0) + QUAD(0x00207a49504c) + } + .bss : { _bss = . ; *(.bss)

> Looks like we commented in parallel.
> Yes, backport will be helpful.

Ok, will try to work on that.

Title:
  [UBUNTU 20.04] boot: Add secure boot trailer

Status in Ubuntu on IBM z Systems: New
Status in linux package in Ubuntu: Invalid
Status in linux source package in Focal: New
Status in linux source package in Jammy: New
Status in linux source package in Kinetic: New
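Review bot: The last quadword of .sb.trailer, QUAD(0x00207a49504c), is an undocumented magic value, and its 0x20 repeats SB_TRAILER_SIZE as a bare literal. The low four bytes are ASCII "zIPL" and 0x20 is 32, the same number as the #define, so a comment naming the fields, with the constant written zero-padded to the full 16 hex digits of a QUAD, would let a reader check the layout by eye. Nothing ties the four hard-coded QUADs to SB_TRAILER_SIZE either; an ASSERT(SIZEOF(.sb.trailer) == SB_TRAILER_SIZE, "...") after the section would catch the two drifting apart, which matters because the ". = ALIGN(4096) - SB_TRAILER_SIZE;" arithmetic relies on exactly that size to end the trailer on a 4096-byte boundary.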
[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla
--- Comment From peter.oberparlei...@de.ibm.com 2022-11-10 08:55 EDT---
(In reply to comment #6)
> So commit aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure
> boot trailer" was just upstream accepted with v6.1-rc3.
> And it got tagged for upstream stable with:
> "Cc: # 5.2+"
> That means that it will ideally automatically land over time in all Ubuntu
> kernels, down to focal's 5.4.

Unfortunately the automated stable backport to v5.4, v5.10, and v5.14 failed because the source file that is modified by this patch was moved around:
https://lore.kernel.org/stable/166719900013...@kroah.com/

> But since this bug is marked as critical, the patch is relatively short,
> traceable and s390x-specific, I'll go ahead and submit this patch for Jammy
> and Focal ahead of upstream stable.

In addition to the work you plan, I could provide an adjusted stable backport for the upstream targets for which automatic backport failed. Would this help get this patch into any more Ubuntu versions?

Title:
  [UBUNTU 20.04] boot: Add secure boot trailer

Status in Ubuntu on IBM z Systems: New
Status in linux package in Ubuntu: Invalid
Status in linux source package in Focal: New
Status in linux source package in Jammy: New
Status in linux source package in Kinetic: New